The eFraudNetwork published a survey last week as part of the RSA conference.  The purpose of the survey was to “…try and understand how online fraud and data breaches are impacting multiple industries and organizations.” 

The survey covered many topics including data breaches, cross-industry information sharing, the Heartland breach, and spending to prevent fraud.

One the topics near and dear to my heart was the question that asked about attack types.  The answers to this question showed that malware and viruses are at the top of people’s minds – which was to be expected.  What I didn’t expect, though, was the percent of people who said that they have seen attacks against the business logic of their website.

Almost 20% of people said they had seen attacks against the business logic of their site.  While this may seem like a small number to some of you, it is bigger than I was expecting.  Attacks against business logic have been going on for years, but it has only been in the last year or so that the industry is recognizing them for what they are and taking notice of them. 

I was thrilled to see that 20% of people understand that it is the business logic of their website that is allowing attacks.  I’ll be very curious to see how this number changes when the eFN does a similar study next year, especially since it was made clear in the study that business logic attacks are one of the most dangerous attacks against a website.

Is anyone else surprised the number is so high?

At the RSA Conference 2009 – day 2.

Normally blogging from a conference I try to be upbeat and positive on the speakers (I’m usually a glass-half-full guy), but I just can’t say I was wowed today by the keynotes. A lot about collaboration – can’t go wrong there. Definitely a couple mentions about how attacks are now directed at the application layer – can’t agree more, this is why we have Silver Tail. However, nothing inspiring. Anyone disagree?

Spent much of the day in meetings with potential customers and partners – great feedback and a lot of excitement about what we are doing and about our announcements yesterday. Personal note: I’ve noticed an interesting trend of many of my friends from the software development days are now in the security space – must be where all the innovation is happening!

Enjoyed Jeremiah Grossman’s session on web hacking techniques, though a little technical for me – but I get the picture: the list of top web hacking techniques never goes away… don’t need to be too technical to understand that. Jeremiah filled a very large room in the last session of the day (5.40pm) – testament to the speaker.

I did discover a new (new to me) security news site, threatpost. Good format.

The after parties were in ernest, with even bigger ones scheduled for tomorrow night. See you there…

We are at the RSA Conference 2009 starting today with a couple of interesting pre-conference events.

First, the eFraudNetwork meeting was held today where Laura Mather moderated a panel of fraud experts from Bank of America, Yahoo! and Medicare/Medicaid. The panel discussed ideas and best practices for protecting customers – everything from encrypting data, education and awareness, and tracking perpetrators of online crime. The panel was titled, “Protecting Customers: Case Studies from Leading Enterprises.”

The Innovation Sandbox was held highlighting ten (out of 50+) new companies who had creative ideas in the area of security. A good mini-conference to help promote the new, young startups get a little more attention. A couple of interesting companies, in my opinion, include Purewire (SaaS-based protection for enterprise client machines) and Behaviosec (behavior analysis of the user on how they interact with their machine: typing, mouse movements, etc.). The most entertaining was seeing the executives pitch their company in 3 minutes, which the winner, AlertEnterprise, did just that – plus, they had the best visually appealing application – hard to beat 3-D images.

Lastly, the welcome reception was a good way to get started on seeing the expo floor… booth discussions are so much better done over a beer.

Looking forward to tomorrow’s keynotes and Jeremiah Grossman’s Top Ten Web Hacking Techniques of 2008 – usually some good business logic abuse in there!

I have the privilege of attending the eFraudNetwork day as part of the 2009 RSA security conference.  Prior to the conference, the eFN people had done a survey on the attacks banks and other websites are seeing.  Most of the data wasn’t surprising: identity theft was a big one.

Something that was surprising, though, was that almost 20% of respondents saw attacks against application logic.  When I saw that question in the survey I was worried that people wouldn’t know how to define application logic attacks.  It was very interesting that people are definitely seeing this type of attack.

While 20% seems small, my hypothesis is that most people are getting hit by this type of attack, but 1) many of them don’t know what they are called and 2) many of them don’t understand yet that their websites are being impacted by this type of attack.

I’ll be anxious to see the results of this study going forward to see how this number changes.